Auth Problem Deploying Neon Proxy Locally


I am very interested in learning about Neon and how it works. I followed the procedures on local deployment and managed to have every components set up locally.

There is a process called “proxy” and is responsible for routing incoming connections to a compute node based on the SNI in the client certificate and I would like to set up this proxy locally as well but ran into some issues that I am unsure how to solve.

I started the proxy like this, where server.crt and server.key were generated using openssl commands described in the proxy’s readme file in source repo. I would like to use postgres to authenticate as I do not have an authentication server setup.

proxy -c server.crt -k server.key --auth-backend="postgres"

I connect to proxy with psql like this, and got a “Console request failed” error message

psql "postgres://cloud_admin:cloud_admin@"

On the proxy side, it prints

2023-04-13T18:27:54.571468Z  INFO accepted postgres client connection from
2023-04-13T18:27:54.571516Z  INFO spawned a task for
2023-04-13T18:27:54.571919Z  INFO handle_client:handshake: received SslRequest
2023-04-13T18:27:54.575478Z  INFO handle_client:handshake: received StartupMessage { major_version: 3, minor_version: 0, params: StartupMessageParams { params: {"client_encoding": "UTF8", "application_name": "psql", "user": "cloud_admin", "database": "postgres", "options": "project=compute1"} } }
2023-04-13T18:27:54.575496Z  INFO handle_client:handshake: successful handshake session_type="normal"
2023-04-13T18:27:54.575521Z  INFO handle_client: credentials user="cloud_admin" project="compute1"
2023-04-13T18:27:54.575536Z  INFO handle_client: registered new query cancellation key CancelKeyData(ffffffffa1b9aea0)
2023-04-13T18:27:54.575553Z  INFO handle_client:authenticate: performing authentication using a local postgres instance user="cloud_admin" project="compute1"
2023-04-13T18:27:54.575563Z  INFO handle_client:authenticate: fetching user's authentication info
2023-04-13T18:27:54.575589Z ERROR handle_client:authenticate:get_auth_info:postgres{url="http://localhost:3000/authenticate_proxy_request/"}: Console request failed: invalid connection string: unexpected EOF
2023-04-13T18:27:54.575619Z  INFO handle_client: forwarding error to user: Console request failed
2023-04-13T18:27:54.575668Z  INFO handle_client: dropped query cancellation key CancelKeyData(ffffffffa1b9aea0)
2023-04-13T18:27:54.575692Z ERROR per-client task finished with an error: Console request failed: invalid connection string: unexpected EOF: invalid connection string: unexpected EOF: unexpected EOF
OpenTelemetry trace error occurred. error sending request for url (https://localhost:4317/): error trying to connect: tcp connect error: Cannot assign requested address (os error 99)

Seems like it tries to get_auth_info for postgres from this URL http://localhost:3000/authenticate_proxy_requestthat I don’t have this service locally.

Has anyone been able to set up the proxy process locally? How do I host an authentication server locally so that the proxy can continue the authentication and eventually wake up a compute node?

thank you so much! All help appreciated!

Hey, @cary_huang.

Thanks for your interest in the Neon project.

You understood pretty correctly the reason for which proxy is used. But it’s not the whole picture. Proxy doesn’t only terminate the SSL connection, but it also initializes the compute instance through our private component (request to localhost:3000). Unfortunately, we didn’t open-source this component yet.

Proxy is mainly used for, where our users connect to Neon, and proxy understands who these users are and whether we need to wake up compute for them.

For your local setup, you can use the neon_local binary that spins up Pageserver, Safekeeper, and Storage Broker and allows you to run Postgres. You don’t need a proxy; you can connect directly to Postgres.